

An ethical hacker’s perspective on EASM
source link: https://blog.detectify.com/2023/01/04/ethical-hackers-perspective-on-easm/


Gunnar Andrews discusses how ethical hackers can look to EASM techniques to help increase their ethical hacking skills. For organizations, this article gives insight into the methods and types of information that ethical hackers or even malicious attackers will collect to increase knowledge about an organization’s assets.
What is EASM?
External Attack Surface Management (EASM) is the discovery and assessment of an organization’s publicly facing IT assets. Effective EASM continuously monitors your assets for availability, vulnerabilities, and updates. As your attack surface grows, monitoring your organization’s external assets becomes more important.
Why is EASM important?
Ephemeral bugs
Persistent bugs, such as a cross-site scripting vulnerability, can sit in an organization's attack surface for an extended period and remain until the asset is removed or a fix is deployed. Ephemeral bugs, on the other hand, exist only for a short window and then disappear, for example while a deployment is in progress or while a DNS record still points at a cloud resource that has been torn down.
As an example, say a subdomain is vulnerable to subdomain takeover for a total of one hour, and 10,000 people visit it during that hour. If a malicious attacker claims the dangling resource in that window, they control what those 10,000 visitors receive, so the risk is very high even though the window is short. An effective EASM program that continuously monitors assets is likely to catch these short-lived, high-risk conditions before a malicious attacker does.
Shadow IT assets
Shadow IT assets are assets that get deployed without the security team's knowledge. Unknown assets are dangerous because they receive no regular vulnerability testing, updates, or upgrades, and they may never be decommissioned once they are no longer used. It is not unusual, especially in larger organizations, to uncover assets on the attack surface that the security department is not aware of. Discovering these assets and monitoring them is a core function of EASM.
Out-of-date assets
Software requires regular updates to improve usability and fix vulnerabilities. Hackers actively search for assets running out-of-date software because it is a strong indicator that the host may be vulnerable. Assets could be anything from old JavaScript libraries to FTP servers to WordPress plugins. Beyond being an indicator, out-of-date software is frequently affected by publicly known CVEs, which makes an attack trivial for an opportunistic attacker.
Acquisitions
When one organization acquires another, it also acquires the other's attack surface. Even if the parent organization has iron-clad security, the recently acquired organization could be a whole different story, and its assets can take a while to be discovered, scanned, and remediated. Acquisitions are a good opportunity for ethical hackers to expand their knowledge of an organization's attack surface and, worse, an opportunity for malicious attackers to exploit. If your organization recently acquired another company, be sure to add its digital assets to your EASM pipeline.
Read more: How attack surface management helps during an M&A process
Asset visibility
A well-documented attack surface will include detailed information about each available asset. The types and depth of information will differ and may include:
- Ports
- DNS records
- Technologies
- Directories/Endpoints
- Parameters
- Certificate information
EASM for ethical hackers
Just as an organization needs EASM to defend its attack surface, an ethical hacker may use EASM techniques as part of their bug bounty efforts. Let's take a look at some types of information that are extremely valuable to an ethical hacker and which, in the hands of a malicious attacker, could become exploitable attack vectors.
Domains and subdomains
The process of gathering domains and subdomains usually starts with a list of root domains to enumerate subdomains from using a variety of methods, including:
- Passive recon APIs
- Brute-forcing
- Spidering/Crawling
- Permutations
Hackers will look for open ports, running services, DNS records, and endpoints, and may keep a current list of domains so that they don’t miss any or waste time trying to attack one that is offline.
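The enumeration loop described above (brute-force a wordlist, permute the names already found, resolve, feed the results back in) as an added example, not Detectify's tooling or code from the article. The wordlist, permutation tokens and the `FAKE_ZONE` resolution table are constructed so the logic runs offline; `system_resolver` is the drop-in for a live run.

```python
"""Subdomain discovery: wordlist brute force, permutations of known names, and
resolution through an injectable resolver. Added example; zone data is constructed."""
import socket
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed wordlist; real runs use lists with tens of thousands of entries.
WORDLIST = ["www", "api", "dev", "staging", "mail", "vpn", "admin"]
# Tokens typically inserted or appended when permuting a known subdomain.
PERMUTATION_TOKENS = ["dev", "staging", "test", "old", "new", "v2"]
SEPARATORS = ["-", ".", ""]


def brute_force_candidates(root: str, words: Iterable[str] = WORDLIST) -> Set[str]:
    """word.root for every word in the list."""
    return {f"{w}.{root}" for w in words}


def permutation_candidates(known: Iterable[str], root: str,
                           tokens: Iterable[str] = PERMUTATION_TOKENS) -> Set[str]:
    """Derive new candidates from already-known names, e.g. api.example.com ->
    api-dev.example.com, dev.api.example.com, apidev.example.com ..."""
    out: Set[str] = set()
    suffix = "." + root
    for name in known:
        if not name.endswith(suffix):
            continue
        label = name[: -len(suffix)]            # "api" from "api.example.com"
        for tok, sep in product(tokens, SEPARATORS):
            out.add(f"{label}{sep}{tok}{suffix}")  # api-dev.example.com
            out.add(f"{tok}{sep}{label}{suffix}")  # dev-api.example.com
    return out - set(known)


def resolve_all(candidates: Iterable[str],
                resolver: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """{name: ip} for candidates that resolve; `resolver` returns None on NXDOMAIN."""
    live: Dict[str, str] = {}
    for name in sorted(candidates):
        ip = resolver(name)
        if ip:
            live[name] = ip
    return live


def system_resolver(name: str) -> Optional[str]:
    """Live resolver via the OS stub resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed fake zone for the offline demonstration (RFC 5737 / 2606 names).
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "api.example.com": "192.0.2.20",
    "api-dev.example.com": "192.0.2.21",
    "staging.example.com": "198.51.100.5",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def discover(root: str, known: Iterable[str],
             resolver: Callable[[str], Optional[str]] = fake_resolver) -> Dict[str, str]:
    """One enumeration round: brute force plus permutations of known names, resolved.
    Feed the result back into `known` and run again until nothing new appears."""
    known = set(known)
    candidates = brute_force_candidates(root) | permutation_candidates(known, root)
    return resolve_all(candidates - known, resolver)


if __name__ == "__main__":
    known = {"www.example.com"}
    while True:
        new = discover("example.com", known)
        if not new:
            break
        for name, ip in new.items():
            print(f"{name:30} {ip}")
        known |= set(new)
```

The second round is what finds `api-dev.example.com`: it only becomes a candidate once `api.example.com` is known, which is why the loop re-runs permutations over everything found so far rather than over the root alone.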
IPs, IP ranges, and ASNs
IP addresses are another asset identifier. Knowing the IP ranges and autonomous system numbers (ASNs) of a target lets hackers discover more assets. Multiple domains can resolve to the same IP address (virtual hosts), so scanning IP ranges and ASNs with reverse IP lookups could turn 10 IP addresses into 50 domains, rapidly expanding the attack surface.
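The IP-side bookkeeping behind that expansion, as an added example (not code from the article): group resolved hostnames by address to find virtual-host candidates, separate hosts on the organization's own prefixes from third-party hosting, and list the addresses in those prefixes that have no hostname yet. The `ORG_PREFIXES` (which in practice come from the target's ASN announcements) and the `RESOLVED` table are constructed.

```python
"""IP, range and ASN bookkeeping for attack-surface expansion. Added example;
prefixes and the resolution table are constructed, not real data."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed: prefixes you would pull from the target's ASN via a BGP/whois source.
ORG_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed resolution table (hostname -> IPs), e.g. output of a mass resolver.
RESOLVED = {
    "www.example.com": ["192.0.2.10"],
    "blog.example.com": ["192.0.2.10"],             # same IP as www: virtual host
    "shop.example.com": ["192.0.2.10", "2001:db8:10::5"],
    "cdn.example.com": ["203.0.113.7"],             # outside the org's ranges
    "legacy.example.com": ["192.0.2.200"],
}


def in_org_ranges(ip: str, prefixes=ORG_PREFIXES) -> bool:
    """True if the address lies inside one of the organization's announced prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes if net.version == addr.version)


def group_by_ip(resolved: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Reverse index IP -> sorted hostnames (what a reverse-IP lookup reconstructs)."""
    index = defaultdict(set)
    for host, ips in resolved.items():
        for ip in ips:
            index[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in index.items()}


def vhost_candidates(resolved: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """IPs serving more than one hostname; each name is worth its own Host header."""
    return {ip: hosts for ip, hosts in group_by_ip(resolved).items() if len(hosts) > 1}


def classify(resolved: Dict[str, Iterable[str]], prefixes=ORG_PREFIXES) -> Dict[str, List[str]]:
    """Split hosts into those on the org's own prefixes and those on third parties."""
    owned, third = [], []
    for host, ips in sorted(resolved.items()):
        bucket = owned if any(in_org_ranges(ip, prefixes) for ip in ips) else third
        bucket.append(host)
    return {"owned": owned, "third_party": third}


def unscanned_org_ips(resolved: Dict[str, Iterable[str]], prefixes=ORG_PREFIXES,
                      max_hosts: int = 4096) -> List[str]:
    """Addresses inside the org's prefixes with no known hostname yet: sweep these
    with PTR lookups, TLS certificate SANs and port scans to find more assets."""
    known = {ipaddress.ip_address(ip) for ips in resolved.values() for ip in ips}
    out: List[str] = []
    for net in prefixes:
        if net.num_addresses > max_hosts:   # huge (IPv6) prefixes need a different strategy
            continue
        out.extend(str(a) for a in net.hosts() if a not in known)
    return out


if __name__ == "__main__":
    print("vhost candidates:", vhost_candidates(RESOLVED))
    print("classification:", classify(RESOLVED))
    print("unscanned org IPs:", len(unscanned_org_ips(RESOLVED)))
```

Note that `cdn.example.com` lands in `third_party`: it is still in scope for the hostname-based tests, but the underlying address is not the target's to port-scan, which matters for bug bounty scope rules.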
Technologies being used
Hackers will dive deeper into identified domains and IP addresses by port scanning and then checking those ports for technologies and running services. Fingerprinting these technologies lets hackers narrow down what testing to perform on each asset. If they see a web port running WordPress, they include WordPress test cases. If they learn that the web application is written in a JavaScript framework with some PHP, they probably don't need in-depth fuzzing for .NET files and endpoints. Using technology fingerprints to focus the work can save hackers a lot of time.
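A small fingerprint rule engine that turns an HTTP response into a list of applicable test cases, as an added example (not the article's or Detectify's code). The rules, the test-case names and the two sample responses are constructed; the version extraction at the end is what makes "out-of-date asset" spotting possible when servers disclose product/version strings.

```python
"""Fingerprint a web service from headers and body, then plan which test cases to run.
Added example; rules and sample responses are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# (technology, where to look, regex, tests unlocked). "header:<name>" is matched
# against that header; "body" against the response body. Constructed subset.
RULES = [
    ("WordPress", "body", r"/wp-(content|includes)/", {"wp-plugin-enum", "xmlrpc", "wp-json-users"}),
    ("PHP", "header:x-powered-by", r"PHP/?", {"php-wrappers", "lfi"}),
    ("PHP", "header:set-cookie", r"PHPSESSID=", {"php-wrappers", "lfi"}),
    ("ASP.NET", "header:x-powered-by", r"ASP\.NET", {"viewstate", "aspx-endpoints"}),
    ("ASP.NET", "header:set-cookie", r"ASP\.NET_SessionId=", {"viewstate", "aspx-endpoints"}),
    ("nginx", "header:server", r"^nginx", {"alias-traversal"}),
    ("Apache", "header:server", r"^Apache", {"htaccess-bypass"}),
    ("React", "body", r"__NEXT_DATA__|data-reactroot", {"js-endpoint-extraction"}),
]

VERSION_RX = re.compile(r"([A-Za-z][\w.-]*?)/(\d+(?:\.\d+)+)")


def _headers_lower(resp: Response) -> Dict[str, str]:
    return {k.lower(): v for k, v in resp.headers.items()}


def fingerprint(resp: Response) -> Dict[str, Set[str]]:
    """{technology: tests} for every rule that matches the response."""
    found: Dict[str, Set[str]] = {}
    hdrs = _headers_lower(resp)
    for tech, where, pattern, tests in RULES:
        haystack = resp.body if where == "body" else hdrs.get(where.split(":", 1)[1], "")
        if re.search(pattern, haystack, re.IGNORECASE):
            found.setdefault(tech, set()).update(tests)
    return found


def plan_tests(resp: Response) -> List[str]:
    """Union of all unlocked tests, sorted; .NET tests never appear for a PHP stack."""
    tests: Set[str] = set()
    for t in fingerprint(resp).values():
        tests |= t
    return sorted(tests)


def extract_versions(resp: Response) -> Dict[str, str]:
    """Product -> version from Server and X-Powered-By; disclosed versions are the
    quickest way to spot out-of-date software."""
    hdrs = _headers_lower(resp)
    out: Dict[str, str] = {}
    for h in ("server", "x-powered-by"):
        for product, version in VERSION_RX.findall(hdrs.get(h, "")):
            out[product] = version
    return out


# Constructed sample responses.
WP_SAMPLE = Response(200, {"Server": "Apache/2.4.54", "X-Powered-By": "PHP/8.1",
                           "Set-Cookie": "PHPSESSID=abc123; path=/"},
                     '<link rel="stylesheet" href="/wp-content/themes/x/style.css">')
NET_SAMPLE = Response(200, {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET",
                            "Set-Cookie": "ASP.NET_SessionId=xyz; path=/"},
                      "<div id='app'></div>")

if __name__ == "__main__":
    for sample in (WP_SAMPLE, NET_SAMPLE):
        print(sorted(fingerprint(sample)), plan_tests(sample), extract_versions(sample))
```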
Changes to assets: The early bird catches the bug
Monitoring your attack surface is just as important as discovering assets. Some changes that hackers may monitor for are:
- Assets going online/offline
- DNS record changes
- New ports being opened
- Version updates on software
- New features being deployed
- Changes in responses
Code repositories
Repositories can contain sensitive data including environment files, database credentials, internal endpoints and a variety of tokens and keys. For this reason, source code repositories are an important asset in a hacker's EASM workflow. Active repositories change constantly, so hackers will likely monitor updates to the code base too. For further information on basic code review from a hacker's perspective, here's a great video by LiveOverflow.
Registries for docker images and software libraries
Registries holding images that contain software will also be part of a hacker's EASM. Well-known security researchers have found very complex bugs by pulling software out of Docker images found on public registries. This can be achieved by:
- Pulling the image and running it as a container
- Extracting the application files from the container (or directly from the image layers)
- Reverse engineering or decompiling the software back to readable source
This can expose hard-coded secrets and vulnerabilities in the source code.
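One scanner that serves both of the previous sections, added as an example and not code from the article: a regex pass for leaked credentials over repository files, reused over every layer of a `docker save` tarball so the same check runs on image contents without a container. The secret patterns are a small constructed subset (the AWS key is Amazon's documented example key), and the image is built in memory rather than pulled from a registry; a real run would `docker save example/app:latest -o app.tar` and pass those bytes in.

```python
"""Leaked-credential scanning for repository files and docker image layers.
Added example; patterns are a constructed subset and the sample image is built
in memory, so nothing is fetched from a real registry."""
import io
import re
import tarfile
from typing import Dict, List, Tuple

# (name, regex). Constructed subset of common token shapes.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("db_url_with_password", re.compile(r"\b(?:postgres|mysql)://[^:\s]+:[^@\s]+@", re.I)),
    ("generic_secret_assignment",
     re.compile(r"""(?i)\b(?:secret|password|api[_-]?key)\s*[=:]\s*['"]?[^\s'"]{8,}""")),
]
SKIP_EXT = (".png", ".jpg", ".gz", ".so", ".pyc")

Hit = Tuple[str, str, int]   # (path, pattern name, line number)


def scan_text(text: str, path: str = "<stdin>") -> List[Hit]:
    """Every (path, pattern, line) where a secret-looking string appears."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS:
            if rx.search(line):
                hits.append((path, name, lineno))
    return hits


def scan_image_tar(data: bytes) -> List[Hit]:
    """Walk each layer tar inside a `docker save` tarball and scan its text files."""
    hits: List[Hit] = []
    with tarfile.open(fileobj=io.BytesIO(data)) as image:
        for member in image.getmembers():
            if not (member.isfile() and member.name.endswith("layer.tar")):
                continue
            with tarfile.open(fileobj=io.BytesIO(image.extractfile(member).read())) as layer:
                for f in layer.getmembers():
                    if not f.isfile() or f.name.endswith(SKIP_EXT):
                        continue
                    try:
                        text = layer.extractfile(f).read().decode("utf-8")
                    except UnicodeDecodeError:
                        continue   # binary; strings(1)-style scanning is out of scope here
                    hits.extend(scan_text(text, f"{member.name}:{f.name}"))
    return hits


def _tar_bytes(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed image in `docker save` layout: manifest.json plus one layer tar."""
    layer = _tar_bytes({
        "app/.env": b"DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app\nDEBUG=1\n",
        "app/config.py": b"API_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
        "app/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    })
    manifest = b'[{"Config":"cfg.json","RepoTags":["example/app:latest"],"Layers":["abc/layer.tar"]}]'
    return _tar_bytes({"manifest.json": manifest, "abc/layer.tar": layer})


if __name__ == "__main__":
    for path, name, line in scan_image_tar(build_sample_image()):
        print(f"{path}:{line}: {name}")
```

Scanning layers individually matters: a secret deleted in a later Dockerfile step is still present in the earlier layer, so a scan of the running container's filesystem would miss what the image itself still ships.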
Organizations, start thinking like a hacker
Whether it's finding long-forgotten shadow IT assets, new assets from a recent acquisition, or being the first to notice a new web application on port 8080, hackers can look to EASM techniques to increase their knowledge of an organization's assets. For ethical hackers, this can prove fruitful in bug bounty or responsible disclosure programs. Malicious attackers, however, could use the same information to exploit the organization. That's why organizations should start thinking like hackers about their assets. Implementing a continuous EASM program will uncover an organization's Internet-facing assets and find their vulnerabilities before a malicious hacker does.
Written by:
Gunnar Andrews
My online alias is G0lden. I am a hacker out of the midwest United States. I came into the hacking world through corporate jobs out of college, and I also do bug bounties. I enjoy finding new ways to hunt bugs and cutting-edge new tools. Making new connections with fellow hackers is the best part of this community for me!